AWS CloudTrail
User Guide (Version 1.0)

Creating a Trail for the First Time

The following steps create a trail that applies to all regions in your account. The trail is based in the region you choose in the console when you create it. In these steps, you also create an Amazon S3 bucket to receive your log files; log files from all regions are delivered to this one bucket. Optionally, you can configure Amazon SNS to notify you when log files are delivered.

Note

You can use an existing bucket, but we recommend that you create a new one. When you create a new bucket, CloudTrail creates the bucket policy that grants it permission to write log files and applies that policy to the bucket for you.

To create a CloudTrail trail with the AWS Management Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose Get Started Now.

    The Turn on CloudTrail page appears.

  3. Choose the region where you want the trail to be based.

  4. In the Trail name box, type a name for your trail. For trail naming requirements, see CloudTrail Trail Naming Requirements.

  5. For Apply trail to all regions, choose Yes to receive log files from all regions. Yes is the default (and recommended) setting.

  6. For Create a new S3 bucket, choose Yes to create a new bucket or No to use an existing one.

    Note

    If you chose No, choose an existing Amazon S3 bucket. The bucket policy must grant CloudTrail permission to write to it. You can only specify an existing bucket owned by the account under which the trail is created. For information about manually editing the policy for a bucket, see Amazon S3 Bucket Policy for CloudTrail.

  7. In the S3 bucket field, type a name for the bucket you want to designate for log file storage. The name must be globally unique. For more information about S3 bucket naming rules and conventions, see Amazon S3 Bucket Naming Requirements.

  8. (Optional) If you want to enter a log file prefix for your bucket, enable log file validation, or configure Amazon SNS notifications, choose Advanced.

  9. In the Log file prefix field, type a prefix for your Amazon S3 bucket. The prefix is prepended to the key of every object CloudTrail writes, which gives your bucket a folder-like organization; CloudTrail adds its own path (account ID, region and date) after the prefix. The location where your log files will be stored is shown under the text field.

  10. For Enable log file validation, choose Yes to have digest files delivered to your S3 bucket. You can use the digest files to determine whether a log file was modified or deleted after CloudTrail delivered it. This setting is enabled by default for new trails. For more information, see Validating CloudTrail Log File Integrity.

  11. For Send SNS notification for every log file delivery, choose Yes if you want to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event.

    1. For Create a new SNS topic, choose Yes to create a new topic, or choose No to use an existing topic. If you are creating a trail that applies to all regions, SNS notifications for log file deliveries in all regions will be sent to the single SNS topic that you create.

      Note

      If you chose No, choose an existing topic. You can also enter the ARN of a topic from another region or from an account with appropriate permissions. For more information, see Configuring CloudTrail to Send Notifications.

  12. If you chose Yes, in the SNS topic field, type a name.

    If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see the Amazon Simple Notification Service Getting Started Guide.

  13. Choose Turn On.

    The new trail appears on the Trails page, which lists your trails from all regions. Within about 15 minutes, CloudTrail begins publishing log files that show the AWS API calls made in your account.
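The following Python is an added example, not code from the CloudTrail guide or from AWS tooling. It works through the S3 side of the procedure above offline: it builds the bucket policy equivalent to the one the console attaches to a new bucket (the note in step 6), derives where log files land for a given prefix (step 9), and checks delivered log objects against a digest file the way log file validation intends (step 10). The bucket names, account ID, object keys and log contents are constructed sample values, the statement Sids are illustrative, and the digest file's SHA256withRSA signature (covered under Validating CloudTrail Log File Integrity) is not verified here.

```python
import gzip
import hashlib
import json

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}  # principal that delivers log files


def log_key_prefix(account_id, prefix=""):
    # Every region delivers under [prefix/]AWSLogs/<account-id>/, followed by
    # CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz (digests: CloudTrail-Digest/...).
    prefix = prefix.strip("/")
    return f"{prefix}/AWSLogs/{account_id}/" if prefix else f"AWSLogs/{account_id}/"


def cloudtrail_bucket_policy(bucket, account_id, prefix=""):
    """Equivalent of the policy the console attaches to a new bucket (Sids are illustrative)."""
    return {"Version": "2012-10-17", "Statement": [
        {   # CloudTrail first checks that it can read the bucket ACL ...
            "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
            "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {   # ... then writes only under this account's path, with the bucket owner in control.
            "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{log_key_prefix(account_id, prefix)}*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}


def policy_problems(policy, bucket, account_id, prefix=""):
    """Review an existing bucket's policy before choosing it in step 6.
    An empty result means CloudTrail can deliver and only this account's trails
    may write here; a wider PutObject resource would let other accounts' trails in."""
    want = f"arn:aws:s3:::{bucket}/{log_key_prefix(account_id, prefix)}*"
    acl_ok = write_ok = False
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal") != CLOUDTRAIL:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:PutObject" not in actions:
            continue
        for res in resources:
            if res != want and not want.startswith(res.rstrip("*")):
                continue  # grants some other path; irrelevant to this trail
            write_ok = True
            if res != want:
                findings.append(f"PutObject resource too broad: {res}")
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append("PutObject lacks the bucket-owner-full-control condition")
    if not acl_ok:
        findings.append("no s3:GetBucketAcl grant for cloudtrail.amazonaws.com")
    if not write_ok:
        findings.append(f"no s3:PutObject grant on {want}")
    return findings


def verify_digest(digest_gz, stored, previous_digest_gz=None):
    """Step 10 check: each log object the digest lists must still hash to its
    hashValue, and the digest must chain to the previous digest's hash.
    `stored` maps object key -> bytes as stored in S3. The digest's own
    SHA256withRSA signature is NOT verified here (assumption: done elsewhere)."""
    digest = json.loads(gzip.decompress(digest_gz))
    findings = []
    for entry in digest["logFiles"]:
        data = stored.get(entry["s3Object"])
        if data is None:
            findings.append(f"missing: {entry['s3Object']}")
        elif hashlib.sha256(data).hexdigest() != entry["hashValue"]:
            findings.append(f"modified after delivery: {entry['s3Object']}")
    if previous_digest_gz is not None and hashlib.sha256(
            previous_digest_gz).hexdigest() != digest.get("previousDigestHashValue"):
        findings.append("chain broken: previousDigestHashValue does not match")
    return findings


def demo(account="123456789012"):
    """Constructed sample: two delivered log objects and a digest listing them
    with the fields CloudTrail digest files use; then one object is scrubbed."""
    base = log_key_prefix(account, "prod") + "CloudTrail/us-east-1/2016/01/01/"
    logs = {
        base + "a.json.gz": gzip.compress(b'{"Records":[{"eventName":"StopLogging"}]}'),
        base + "b.json.gz": gzip.compress(b'{"Records":[{"eventName":"DeleteTrail"}]}'),
    }
    digest = gzip.compress(json.dumps({
        "awsAccountId": account,
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": hashlib.sha256(v).hexdigest()} for k, v in logs.items()],
    }).encode())
    clean = verify_digest(digest, logs)
    tampered = dict(logs)
    tampered[base + "a.json.gz"] = gzip.compress(b'{"Records":[]}')  # events removed
    return clean, verify_digest(digest, tampered)
```

The code uses only the standard library and never talks to AWS. To review a real bucket before choosing No in step 6, pass the policy document returned by `aws s3api get-bucket-policy --bucket <name>` to `policy_problems`; the "too broad" finding is the one to look for, because a PutObject grant on `arn:aws:s3:::<bucket>/*` lets trails in any AWS account deliver into your bucket, whereas the console-generated policy is scoped to your own `AWSLogs/<account-id>/` path. The `verify_digest` function mirrors what the digest file lets you check without the signature: that the bytes you hold match the hash CloudTrail recorded at delivery time.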

Next Steps

See Updating a Trail if you want to do the following:
